FAQ on the IP packet filter of the RT series
Where the IP packet filtering function is applied on an interface
| Last modified | 2018/Nov/06 |
| Document size | 36KB |
I do not know where the IP packet filtering function takes effect.
[ Contents ]
[ Explanatory diagram ]
[ Functions illustrated ]
                   :
             [BRI] : ISDN line or leased line
                   :
+------------------+------------------------+
|                  |                        |
|   +-----------------------------+         |
|   | PPP / ISDN line processing  |         |
|   +-----------------------------+         |
|                  |                        |
|   +-----------------------------+         |  ...when priority control or bandwidth control is used / available
|   |        Packet queue         |         |  queue class filter ...
|   |  (↓)   +----(↑)----+        |         |  pp queue type ...
|   |        |   queue   |        |         |  pp queue class filter list ...
|   |  (↓)   +----(↑)----+        |         |  pp queue class property ...
|   +-----------------------------+         |
|                  |                        |
|                  | <outside>              |
|   +-----------------------------+         |
|   |             NAT             |         |
|   |  +----------(1)----------+  |         |
|   |  |           ▲           |  |         |
|   |  |   management table    |  |         |
|   |  +-----------------------+  |         |
|   +-----------------------------+         |
|                  | <inside>               |
|                  |                        |
|   +-----------------------------+         |
|   |          IP filter          |         |  ip filter ...
|   |  +----(↓)----+----(↑)----+  |         |  ip pp secure filter in/out ...
|   |  |    in     |    out    |  |         |
|   |  +----(↓)----+----(↑)----+  |         |
|   +-----------------------------+         |
|                  |                        |
|               (PP#n)                      |
|                  |                        |
|   +-----------------------------+         |
|   |         IP routing          |         |
|   +-----------------------------+         |
|                  |                        |
|                (LAN)                      |
|                  |                        |
|   +-----------------------------+         |
|   |          IP filter          |         |  ip filter ...
|   |  +----(↑)----+----(↓)----+  |         |  ip lan secure filter in/out ...
|   |  |    in     |    out    |  |         |
|   |  +----(↑)----+----(↓)----+  |         |
|   +-----------------------------+         |
|                  |                        |
|   +-----------------------------+         |  ...when priority control or bandwidth control is used / available
|   |        Packet queue         |         |  queue class filter ...
|   |  (↑)   +----(↓)----+        |         |  lan queue type ...
|   |        |   queue   |        |         |  lan queue class filter list ...
|   |  (↑)   +----(↓)----+        |         |  lan queue class property ...
|   +-----------------------------+         |
|                  |                        |
|   +-----------------------------+         |
|   |     Ethernet processing     |         |
|   +-----------------------------+         |
|                  |                        |
+------------------+------------------------+
                   |
             [LAN] |
                   |
-------------------+------------------------
[ Functions illustrated ]
                   :
             [BRI] : ISDN line or leased line
                   :
+------------------+------------------------+
|                  |                        |
|   +-----------------------------+         |
|   | PPP / ISDN line processing  |         |
|   +-----------------------------+         |
|                  |                        |
|   +-----------------------------+         |  ...when priority control or bandwidth control is used / available
|   |        Packet queue         |         |  queue class filter ...
|   |  (↓)   +----(↑)----+        |         |  pp queue type ...
|   |        |   queue   |        |         |  pp queue class filter list ...
|   |  (↓)   +----(↑)----+        |         |  pp queue class property ...
|   +-----------------------------+         |
|                  |                        |
|                  | <outside>              |
|   +-----------------------------+         |  nat descriptor ...
|   |       NAT descriptor        |         |  ip pp nat descriptor ...
|   |  +-(1)-+-(2)-+-(3)-+-(4)-+  |         |
|   |  |  ▲  |  ▲  |  ▲  |  ▲  |  |         |
|   |  +-----+-----+-----+-----+  |         |
|   +-----------------------------+         |
|                  | <inside>               |
|                  |                        |
|   +-----------------------------+         |
|   |          IP filter          |         |  ip filter ...
|   |  +----(↓)----+----(↑)----+  |         |  ip pp secure filter in/out ...
|   |  |    in     |    out    |  |         |
|   |  +----(↓)----+----(↑)----+  |         |
|   +-----------------------------+         |
|                  |                        |
|               (PP#n)                      |  ip pp local address
|                  |                        |
|   +-----------------------------+         |
|   |         IP routing          |         |
|   +-----------------------------+         |
|                  |                        |
|                (LAN)                      |  ip lan address
|                  |                        |
|   +-----------------------------+         |
|   |          IP filter          |         |  ip filter ...
|   |  +----(↑)----+----(↓)----+  |         |  ip lan secure filter in/out ...
|   |  |    in     |    out    |  |         |
|   |  +----(↑)----+----(↓)----+  |         |
|   +-----------------------------+         |
|                  |                        |
|                  | <inside>               |
|   +-----------------------------+         |  nat descriptor ...
|   |       NAT descriptor        |         |  ip lan nat descriptor ...
|   |  +-(1)-+-(2)-+-(3)-+-(4)-+  |         |
|   |  |  ▼  |  ▼  |  ▼  |  ▼  |  |         |
|   |  +-----+-----+-----+-----+  |         |
|   +-----------------------------+         |
|                  | <outside>              |
|                  |                        |
|   +-----------------------------+         |  ...when priority control or bandwidth control is used / available
|   |        Packet queue         |         |  queue class filter ...
|   |  (↑)   +----(↓)----+        |         |  lan queue type ...
|   |        |   queue   |        |         |  lan queue class filter list ...
|   |  (↑)   +----(↓)----+        |         |  lan queue class property ...
|   +-----------------------------+         |
|                  |                        |
|   +-----------------------------+         |
|   |     Ethernet processing     |         |
|   +-----------------------------+         |
|                  |                        |
+------------------+------------------------+
                   |
             [LAN] |
                   |
-------------------+------------------------
Here is a diagram of the two PP sides and the LAN side.
                                 : ISDN, leased line, ...
PP side, BRI side                :
+--------------------------------+----------------------------------+
|                              [BRI]                                |
|          (PP#1)                |                 (PP#2)           |
|            +-------------------+-------------------+              |
|            |                                       |              |
|     +--------------+                      +--------------+        |
|     |     NAT      |      ← nat use →       |     NAT      |      |
|     |IP masquerade |   ← nat masquerade →   |IP masquerade |      |
|     +--------------+                      +--------------+        |
|            |                                       |              |
|      +------------+                        +------------+         |
|      | IP filter  | ← ip pp secure filter →  | IP filter  |       |
|      +------------+                        +------------+         |
|            |                                       |              |
|     +------+-------------------------------------+-------+        |
|     |                                                      |      |
|     |                     IP routing                       |      |
|     |                                                      |      |
|     +--------------------------+---------------------------+      |
|                                |                                  |
|                          +------------+                           |
|                          | IP filter  |  ← ip lan secure filter   |
|                          +------------+                           |
|                                |                                  |
|                              [LAN]                                |
+--------------------------------+----------------------------------+
                                 |
                        LAN side |
=================================+==================================
| Exit \ Entry | LAN1 ↓ | PP#1 ↓ | PP#2 ↓ |
|---|---|---|---|
| LAN1 ← | IN ↓ IP routing ↓ △ | NAT ↓ IN ↓ IP routing ↓ OUT | NAT ↓ IN ↓ IP routing ↓ OUT |
| PP#1 ← | IN ↓ IP routing ↓ OUT ↓ NAT | NAT ↓ IN ↓ IP routing ↓ × | NAT ↓ IN ↓ IP routing ↓ OUT ↓ NAT |
| PP#2 ← | IN ↓ IP routing ↓ OUT ↓ NAT | NAT ↓ IN ↓ IP routing ↓ OUT ↓ NAT | NAT ↓ IN ↓ IP routing ↓ × |
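The following RT configuration fragment is an added example, not part of the original FAQ, showing how the order in the diagram and table above (NAT → IN filter → IP routing → OUT filter → NAT on the PP side) decides which addresses a filter must be written against. The LAN address 192.168.0.0/24, the web server 192.168.0.10 and the filter numbers are constructed values; the command forms are the ones the diagram names (ip filter, ip pp secure filter in/out, nat descriptor, ip pp nat descriptor, ip lan address).

```text
# Constructed example (assumed values; not the FAQ's own configuration).
# Assumed: LAN1 = 192.168.0.0/24, web server at 192.168.0.10,
#          PP#1 = line to the provider with masquerade NAT descriptor 1.
#
# Packet entering from PP#1 : NAT descriptor -> "in" filter  -> IP routing
# Packet leaving via PP#1   : IP routing     -> "out" filter -> NAT descriptor
# The PP-side IP filter is on the <inside> of the NAT descriptor, so both
# the "in" and the "out" list see inside (private) addresses, never the
# outer address.

ip lan1 address 192.168.0.1/24

# ip filter <number> <pass|reject> <src addr> <dst addr> <protocol> <src port> <dst port>
# 100: a packet from the line must not claim our own private range as source
ip filter 100 reject 192.168.0.0/24 * * * *
# 101: HTTP to the web server, matched on the INSIDE address because the
#      static masquerade entry has already rewritten the destination
ip filter 101 pass * 192.168.0.10 tcp * 80
# 102: no NetBIOS/SMB from the line into the LAN
ip filter 102 reject * 192.168.0.0/24 udp,tcp * 137-139,445
# 199: everything else; the masquerade table still limits what comes in
ip filter 199 pass * * * * *
# 200: no NetBIOS/SMB leaking out of the LAN (source is the inside address)
ip filter 200 reject 192.168.0.0/24 * udp,tcp * 137-139,445
ip filter 299 pass * * * * *

pp select 1
# "in" list runs after NAT, "out" list runs before NAT
ip pp secure filter in 100 101 102 199
ip pp secure filter out 200 299
# NAT descriptor 1: masquerade on the PP#1 address, static map for the web server
ip pp nat descriptor 1
pp enable 1

nat descriptor type 1 masquerade
nat descriptor address outer 1 primary
nat descriptor masquerade static 1 1 192.168.0.10 tcp 80
```

Note that if filter 101 were written against the outer (masquerade) address instead, it would never match: by the time the "in" list runs, the destination has already been translated to 192.168.0.10. The same reasoning applies to the LAN side when a NAT descriptor is bound with ip lan nat descriptor, since there the filter likewise sits on the <inside> of the descriptor.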
NAT function, packet filter function and routing function
                   :
             [BRI] : leased line
                   : RT140e/f
+------------------+------------------------------------------------------+
|                  |                                                      |
|   +-----------------------------+                                       |
|   | PPP / ISDN line processing  |                                       |
|   +-----------------------------+                                       |
|                  |                                                      |
|   +-----------------------------+                                       |
|   |        Packet queue         |                                       |
|   |  (↓)   +----(↑)----+        |                                       |
|   |        |   queue   |        |                                       |
|   |  (↓)   +----(↑)----+        |                                       |
|   +-----------------------------+                                       |
|                  |                                                      |
|                  | <outside>                                            |
|   +-----------------------------+                                       |
|   |             NAT             |                                       |
|   |  +----------(1)----------+  |                                       |
|   |  |           ▲           |  |                                       |
|   |  |   management table    |  |                                       |
|   |  +-----------------------+  |                                       |
|   +-----------------------------+                                       |
|                  | <inside>                                             |
|                  |                                                      |
|   +-----------------------------+     +-----------------------------+   |
|   |          IP filter          |     |   Own-address processing    |   |
|   |  +----(↓)----+----(↑)----+  |     |                             |   |
|   |  |    in     |    out    |  |     | telnet server, tftp server, |   |
|   |  +----(↓)----+----(↑)----+  |     | SGW, etc.                   |   |
|   +-----------------------------+     +-----------------------------+   |
|                  |                                   |                  |
|               (PP#1)                       router's own address         |
|                  |                                   |                  |
|   +-----------------------------------------------------------------+   |
|   |                           IP routing                            |   |
|   +-----------------------------------------------------------------+   |
|        |               |                      |               |         |
| (LAN1/Primary) (LAN1/Secondary)         (LAN2/Primary) (LAN2/Secondary) |
|        |               |                      |               |         |
|   +-----------------------------+     +-----------------------------+   |
|   |          IP filter          |     |          IP filter          |   |
|   |  +----(↑)----+----(↓)----+  |     |  +----(↑)----+----(↓)----+  |   |
|   |  |    in     |    out    |  |     |  |    in     |    out    |  |   |
|   |  +----(↑)----+----(↓)----+  |     |  +----(↑)----+----(↓)----+  |   |
|   +-----------------------------+     +-----------------------------+   |
|        |               |                      |               |         |
|   +-----------------------------+     +-----------------------------+   |
|   |        Packet queue         |     |        Packet queue         |   |
|   |  (↑)   +----(↓)----+        |     |  (↑)   +----(↓)----+        |   |
|   |        |   queue   |        |     |        |   queue   |        |   |
|   |  (↑)   +----(↓)----+        |     |  (↑)   +----(↓)----+        |   |
|   +-----------------------------+     +-----------------------------+   |
|        |               |                      |               |         |
|   +-----------------------------+     +-----------------------------+   |
|   |     Ethernet processing     |     |     Ethernet processing     |   |
|   +-----------------------------+     +-----------------------------+   |
|                  |                                   |                  |
+------------------+-----------------------------------+------------------+
                   |                                   |
            [LAN1] |                            [LAN2] |
                   |                                   |
===================+================= =================+=================
NAT descriptor function, packet filter function and routing function
                   :
             [BRI] : leased line
                   : RT140e/f
+------------------+------------------------------------------------------+
|                  |                                                      |
|   +-----------------------------+                                       |
|   | PPP / ISDN line processing  |                                       |
|   +-----------------------------+                                       |
|                  |                                                      |
|   +-----------------------------+                                       |
|   |        Packet queue         |                                       |
|   |  (↓)   +----(↑)----+        |                                       |
|   |        |   queue   |        |                                       |
|   |  (↓)   +----(↑)----+        |                                       |
|   +-----------------------------+                                       |
|                  |                                                      |
|                  | <outside>                                            |
|   +-----------------------------+                                       |
|   |       NAT descriptor        |                                       |
|   |  +-(1)-+-(2)-+-(3)-+-(4)-+  |                                       |
|   |  |  ▲  |  ▲  |  ▲  |  ▲  |  |                                       |
|   |  +-----+-----+-----+-----+  |                                       |
|   +-----------------------------+                                       |
|                  | <inside>                                             |
|                  |                                                      |
|   +-----------------------------+     +-----------------------------+   |
|   |          IP filter          |     |   Own-address processing    |   |
|   |  +----(↓)----+----(↑)----+  |     |                             |   |
|   |  |    in     |    out    |  |     | telnet server, tftp server, |   |
|   |  +----(↓)----+----(↑)----+  |     | SGW, etc.                   |   |
|   +-----------------------------+     +-----------------------------+   |
|                  |                                   |                  |
|               (PP#1)                       router's own address         |
|                  |                                   |                  |
|   +-----------------------------------------------------------------+   |
|   |                           IP routing                            |   |
|   +-----------------------------------------------------------------+   |
|        |               |                      |               |         |
| (LAN1/Primary) (LAN1/Secondary)         (LAN2/Primary) (LAN2/Secondary) |
|        |               |                      |               |         |
|   +-----------------------------+     +-----------------------------+   |
|   |          IP filter          |     |          IP filter          |   |
|   |  +----(↑)----+----(↓)----+  |     |  +----(↑)----+----(↓)----+  |   |
|   |  |    in     |    out    |  |     |  |    in     |    out    |  |   |
|   |  +----(↑)----+----(↓)----+  |     |  +----(↑)----+----(↓)----+  |   |
|   +-----------------------------+     +-----------------------------+   |
|        |               |                      |               |         |
|        |   <inside>    |                      |   <inside>    |         |
|   +-----------------------------+     +-----------------------------+   |
|   |       NAT descriptor        |     |       NAT descriptor        |   |
|   |  +-(1)-+-(2)-+-(3)-+-(4)-+  |     |  +-(1)-+-(2)-+-(3)-+-(4)-+  |   |
|   |  |  ▼  |  ▼  |  ▼  |  ▼  |  |     |  |  ▼  |  ▼  |  ▼  |  ▼  |  |   |
|   |  +-----+-----+-----+-----+  |     |  +-----+-----+-----+-----+  |   |
|   +-----------------------------+     +-----------------------------+   |
|        |   <outside>   |                      |   <outside>   |         |
|        |               |                      |               |         |
|   +-----------------------------+     +-----------------------------+   |
|   |        Packet queue         |     |        Packet queue         |   |
|   |  (↑)   +----(↓)----+        |     |  (↑)   +----(↓)----+        |   |
|   |        |   queue   |        |     |        |   queue   |        |   |
|   |  (↑)   +----(↓)----+        |     |  (↑)   +----(↓)----+        |   |
|   +-----------------------------+     +-----------------------------+   |
|        |               |                      |               |         |
|   +-----------------------------+     +-----------------------------+   |
|   |     Ethernet processing     |     |     Ethernet processing     |   |
|   +-----------------------------+     +-----------------------------+   |
|                  |                                   |                  |
+------------------+-----------------------------------+------------------+
                   |                                   |
            [LAN1] |                            [LAN2] |
                   |                                   |
===================+================= =================+=================
Here is a diagram with two PP sides and two LAN sides. Following a packet along its path shows in what order NAT, IP masquerade, packet filtering and the other functions are applied to it.
                                 : ISDN, leased line, ...
PP side, BRI side                :
+--------------------------------+----------------------------------+
|                              [BRI1]                               |
|                                |                                  |
|                                |  ← pp bind bri                   |
|          (PP#1)                |                 (PP#2)           |
|            +-------------------+-------------------+              |
|            |                                       |              |
|     +--------------+                      +--------------+        |
|     |     NAT      |      ← nat use →       |     NAT      |      |
|     |IP masquerade |   ← nat masquerade →   |IP masquerade |      |
|     +--------------+                      +--------------+        |
|            |                                       |              |
|      +------------+                        +------------+         |
|      | IP filter  | ← ip pp secure filter →  | IP filter  |       |
|      +------------+                        +------------+         |
|            |                                       |              |
|     +------+-------------------------------------+-------+        |
|     |                                                      |      |
|     |                     IP routing                       |      |
|     |                                                      |      |
|     +------+-------------------------------------+-------+        |
|            |                                       |              |
|      +------------+                        +------------+         |
|      | IP filter  | ← ip lan? secure filter →| IP filter  |       |
|      +------------+                        +------------+         |
|            |                                       |              |
|          [LAN1]                                  [LAN2]           |
+------------+---------------------------------------+--------------+
             |                                       |
   LAN1 side |                             LAN2 side |
=============+==================  ===================+==============
| Exit \ Entry | LAN1 ↓ | LAN2 ↓ | PP#1 ↓ | PP#2 ↓ |
|---|---|---|---|---|
| LAN1 ← | IN ↓ IP routing ↓ △ | IN ↓ IP routing ↓ OUT | NAT ↓ IN ↓ IP routing ↓ OUT | NAT ↓ IN ↓ IP routing ↓ OUT |
| LAN2 ← | IN ↓ IP routing ↓ OUT | IN ↓ IP routing ↓ △ | NAT ↓ IN ↓ IP routing ↓ OUT | NAT ↓ IN ↓ IP routing ↓ OUT |
| PP#1 ← | IN ↓ IP routing ↓ OUT ↓ NAT | IN ↓ IP routing ↓ OUT ↓ NAT | NAT ↓ IN ↓ IP routing ↓ × | NAT ↓ IN ↓ IP routing ↓ OUT ↓ NAT |
| PP#2 ← | IN ↓ IP routing ↓ OUT ↓ NAT | IN ↓ IP routing ↓ OUT ↓ NAT | NAT ↓ IN ↓ IP routing ↓ OUT ↓ NAT | NAT ↓ IN ↓ IP routing ↓ × |
[ Functions illustrated ]
+--------------------------------------------------------------------------+
|                     +-----------------------------+                      |
|   IKE packets       |      Security gateway       |      IKE packets     |
|   IPsec packets     |                             |      IPsec packets   |
|   ┏━━━━→            |  +-----------+-----------+  |        →━━━━┓        |
|   ┃                 |  |AH/ESP recv|AH/ESP send|  |             ┃        |
|   ┃                 |  +----(↓)----+----(↑)----+  |             ┃        |
|   ┃                 |  |  Decrypt  |  Encrypt  |  |             ┃        |
|   ┃                 |  +----(↓)----+----(↑)----+  |             ┃        |
|   ┃                 +-----------------------------+             ┃        |
|   ┃                          ↓           ↑                      ┃        |
|   ┃                 +-----------------------------+<outside>    ┃        |
|   ┃                 |       NAT descriptor        |             ┃        |
|   ┃                 |  +-(1)-+-(2)-+-(3)-+-(4)-+  |             ┃        |
|   ┃                 |  |  ▲  |  ▲  |  ▲  |  ▲  |  |             ┃        |
|   ┃                 |  +-----+-----+-----+-----+  |             ┃        |
|   ┃                 +-----------------------------+<inside>     ┃        |
|   ┃                          ↓           ↑                      ┃        |
|   ┃                 +-----------------------------+             ┃        |
|   ┃                 |          IP filter          |             ┃        |
|   ┃                 |  +----(↓)----+----(↑)----+  |             ┃        |
|   ┃                 |  |    in     |    out    |  |             ┃        |
|   ┃                 |  +----(↓)----+----(↑)----+  |             ┃        |
|   ┃                 +-----------------------------+             ┃        |
|   ┃                          ↓           ↑                      ┃        |
|   ┃                          ↓ (TUNNEL#m)↑                      ┃        |
|   ↑                          ↓           ↑                      ↓        |
|   +-----------------------------------------------------------------+    |
|   |                           IP routing                            |    |
|   +-----------------------------------------------------------------+    |
|                  |                                    |                   |
|               (LAN)                               (PP#n)                 |
|                  |                                    |                   |
|  +-----------------------------+      +-----------------------------+    |
|  |          IP filter          |      |          IP filter          |    |
|  |  +----(↑)----+----(↓)----+  |      |  +----(↑)----+----(↓)----+  |    |
|  |  |    in     |    out    |  |      |  |    in     |    out    |  |    |
|  |  +----(↑)----+----(↓)----+  |      |  +----(↑)----+----(↓)----+  |    |
|  +-----------------------------+      +-----------------------------+    |
|                  |                                    |                   |
|                  | <inside>                           | <inside>          |
|  +-----------------------------+      +-----------------------------+    |
|  |       NAT descriptor        |      |       NAT descriptor        |    |
|  |  +-(1)-+-(2)-+-(3)-+-(4)-+  |      |  +-(1)-+-(2)-+-(3)-+-(4)-+  |    |
|  |  |  ▼  |  ▼  |  ▼  |  ▼  |  |      |  |  ▼  |  ▼  |  ▼  |  ▼  |  |    |
|  |  +-----+-----+-----+-----+  |      |  +-----+-----+-----+-----+  |    |
|  +-----------------------------+      +-----------------------------+    |
|                  | <outside>                          | <outside>         |
|                  |                                    |                   |
|  +-----------------------------+      +-----------------------------+    |
|  |        Packet queue         |      |        Packet queue         |    |
|  |  (↑)   +----(↓)----+        |      |  (↑)   +----(↓)----+        |    |
|  |        |   queue   |        |      |        |   queue   |        |    |
|  |  (↑)   +----(↓)----+        |      |  (↑)   +----(↓)----+        |    |
|  +-----------------------------+      +-----------------------------+    |
|                  |                                    |                   |
|  +-----------------------------+      +-----------------------------+    |
|  |     Ethernet processing     |      | PPP / ISDN line processing  |    |
|  +-----------------------------+      +-----------------------------+    |
|                  |                                    |                   |
+-----------------+------------------------------------+-------------------+
                  |                                    :
            [LAN] |                              [BRI] : ISDN line or leased line
                  |                                    :
------------------+--------------------
[ Related information ]
[ FAQ for RT-Series ]
[ FAQ for IP Packet Filter / files / TCP/IP ]